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Abstract 

The fc-set agreement problem is a generalization of the classical consensus problem in which 
processes are permitted to output up to k different input values. In a system of n processes, an 
m-obstruction-free solution to the problem requires termination only in executions where the 
number of processes taking steps is eventually bounded by m. This family of progress conditions 
generalizes wait-freedom (to = n) and obstruction-freedom (to = !)• In this paper, we prove 
upper and lower bounds on the number of registers required to solve m-obstruction-free fc-set 
agreement, considering both one-shot and repeated formulations. In particular, we show that 
repeated fc set agreement can be solved using n+2m—k registers and establish a nearly matching 
lower bound of n -|- to — fc. 


1 Introduction 

Algorithms that allow processes to reach agreement are one of the central concerns of the 
theory of distributed computing, since some kind of agreement underlies many tasks that require 
processes to coordinate with one another. In the classical consensus problem, each process begins 
with an input value, and all processes must agree to output one of those input values. Chaudhuri 
[3] introduced the fc-set agreement problem, which generalizes the consensus problem by allowing 
processes to output up to fc different input values in any execution. Consensus is the special case 
where fc = 1. Set agreement is trivial for n processes if fc > n: each process can simply output its 
own input value. 

We consider the fc-set agreement problem for fc < n in an asynchronous system equipped with 
shared read/write registers. To satisfy wait-free termination, non-faulty processes must terminate 
even if an arbitrary number of processes fail. The impossibility of solving wait-free fc-set agreement 
using registers was a landmark result proved by three groups of researchers However, 

Herlihy, Luchangco and Moir [9] observed that fc-set agreement is solvable (even for fc = 1) under 
a weaker termination property, known as obstruction-freedom or solo-termination, which requires 
that a process must eventually terminate if it takes enough steps without interruption from other 
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processes. Obstruction-freedom was introduced as a way of separating concerns: obstruction-free 
algorithms maintain safety properties in all possible executions, bnt make progress only when one 
process can run for long enough without encountering contention. Various scheduling mechanisms 
designed to reduce contention (such as backing off) can then be used to satisfy this condition. 

Taubenfeld [12] introduced the m-obstruction-freedom progress property, which requires that, in 
any execution where at most m processes take infinitely many steps, each process that continnes to 
take steps will eventually terminate successfully. Wait-freedom and obstruction-freedom are special 
cases, with the extreme valnes m = n and m = 1, respectively. Like ordinary obstruction-freedom, 
m-obstruction-free algorithms guarantee safety in all rnns. However, m-obstruction-freedom pro¬ 
vides a stronger progress property: larger values of m require less rigid constraints on the scheduler 
in order to ensure progress. Since k-set agreement has no wait-free solution among k-\-l processes, 
it follows that there is no m-obstruction free solution when m > k. The converse follows from the 
work of Yang, Neiger and Gafni [T3|: m-obstruction-free A:-set agreement can be solved if m < /c. 
In this paper, we study how the number of registers required to solve m-obstruction-free k-set 
agreement among n processes depends on the parameters m, k and n. 

Previonsly, the only non-trivial space lower bound was for the very special case where m = k = 1. 
In this case, Fich, Herlihy and Shavit jB] showed Q.{y/n) registers are needed. The best upper bound 
for this case is the trivial one of n registers, which comes from the fact that n (large) single-writer 
registers can implement any number of multi-writer registers m- Closing the gap between the 
linear upper bound and the kl{y/n) lower bound is a major open problem. Unfortunately, there has 
been no progress on this gap in the past two decades. 

We first prove nearly tight linear upper and lower bounds on the nnmber of registers reqnired 
for repeated set agreement. In many applications, such as Herlihy’s universal constrnction [8|, there 
is a sequence of (independent) agreement tasks that must be solved, rather than just one. We 
define the repeated k-set agreement problem to model this situation. Processes access an infinite 
sequence of instances fc-set agreement in order. For all executions and for all f, processes accessing 
the fth instance of k-set agreement may ontput at most k of the values that are used as inputs to 
that instance. 

We prove that any m-obstruction-free solntion to repeated A:-set agreement among n processes 
reqnires at least n-\-m — k registers. We also give a novel algorithm for this task using min(n-|-2m — 
k, n) registers. Previously, the only known set agreement algorithm that nses fewer than n registers 
was a I-obstruction-free k-set agreement algorithm that nses 2n — 2k registers |3]. Onr algorithm 
generalizes that algorithm (to handle any value of m) and improves the nnmber of registers used in 
the case where m = I from 2{n — k) to n — k-\-2. For the case where m = fc = I, our results establish 
that obstruction-free repeated consensus requires exactly n registers. Thus, the gap between the 
H(-y/n) lower bound and the 0(n) upper bound is closed when we consider the repeated version of 
the problem. 

For the one-shot version of k-set agreement, we focns on the restricted case of anonymons 
systems, where processes do not have nnique identifiers and are all programmed identically. We 
prove that any anonymons algorithm must use more than — 2) registers. The H(-y/n) lower 

bound of Fich, Herlihy and Shavit (H] (for the anonymons case) is a special case of our result 
with m = k = 1, but the new result gives additional insight into the problem by showing a 
dependence on m and k. Moreover, the technique used in onr proof is somewhat different, since it 
reqnires building an execution involving many different input values where each process is prevented 
from learning about any input value different from its own. We also prove that it is possible 
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Figure 1: Lower and upper bounds on the number of registers to solve m-obstruction-free k-set 
agreement among n processes, where 1 < m < k < n and input values are from domain D (with 
\D\ > k). Our main results appear in boldface; the others are corollaries. 


to solve the problem anonymously. Our algorithm for the repeated version of the problem uses 
(m + l){n — k) + m? + 1 registers. (The usual construction using n single-writer registers is not 
applicable, since it presupposes unique identifiers.) 

Figure [^summarizes our results. Our four main results are in boldface; the others are corollaries. 


2 Preliminaries 

We consider the standard asynchronous shared-memory model, in which n > 1 processes 
pi, ... ,Pn communicate by applying read and write operations to shared registers. The regis¬ 
ters are multi-writer and multi-reader, i.e., there are no restrictions on which processes may access 
which registers. 

Each process has a local state that consists of the values stored in its local variables and a 
programme counter. A computation of the system proceeds in steps performed by the processes. 
Each step is one of the following: (1) an invocation of an operation, (2) a read or write operation 
on a shared register, (3) local computation that results in a change of a process’s state, or (4) a 
response of an operation. Writes update the state of a shared register. All steps may update the 
local state of the process that performs it. A configuration specifies the state of each register and 
the local state of each process at one moment. In an initial configuration, all registers have the 
initial values specified by the algorithm and all processes are in their initial states. 

A process is active if an operation has been invoked on the process but the operation has 
not yet produced a matching response; otherwise the process is called idle. We assume that an 
operation can only be invoked on an idle process and only active processes take steps. We focus on 
deterministic algorithms. Thus, given the current local state of an active process, the algorithm for 
this process stipulates the unique next step the process can perform. An execution fragment of an 
algorithm is a (possibly infinite) sequence of steps starting from some configuration that “respects” 
the algorithm for each process. An execution is an execution fragment that starts from the initial 
configuration. An operation is completed if its invocation is followed by a matching response. In 
an infinite execution, a process is correct if it takes an infinite number of steps or is idle from some 
point on. 

Our algorithms make use of multi-writer snapshot objects [T], which can be implemented from 
registers. A snapshot object stores a vector of r values and provide two atomic operations: 
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update{i,v) {i G {1, • • •,?’}), which writes value v to component i, and scanQ, which returns the 
vector of the most recently written values to components 1,... ,r. 

2.1 Set agreement 

We begin with a formal definition of the repeated k-set agreement problem. Processes may perform 
Propose(u) operations, where v is drawn from an input domain D. Each Propose operation 
outputs a response from D when it terminates. For an execution a, let Ini(a) be the set of values 
that are used as the argument to some process’s ith invocation of Propose and let Outi{a) be 
the set of values that are the response of some process’s ith Propose operation. Then, in every 
execution a of an algorithm that solves repeated /c-set agreement the following properties must 
hold. 


• Validity: Vi, Outi{a) C Ini{a). 

• k-Agreement: Vi, \Outi{a)\ < k. 

An m-obstruction-free algorithm must additionally satisfy the following termination condition. 

• m-Obstruction-Freedom: in every execution in which at most m processes take infinitely many 
steps, every correct process completes each of its operations. 

The special case when A: = 1 is called consensus. In the (one-shot) k-set agreement problem, 
every process invokes Propose at most once. 

It is known that wait-free {k + I)-process k-set agreement cannot be solved using registers [21 
doidi]. This implies the following lemma, which we shall use to prove our space lower bounds. 

Lemma 1. Let A be any algorithm that solves m-obstruction-free k-set agreement using registers. 
For any set V of m input values and any set Q of m processes, there is an execution of A in which 
only processes in Q take steps and all values in V are output. 

Proof. Suppose the opposite for some sets V and Q and consider all executions of A in which only 
processes in Q with inputs in V take steps. By the assumption, at most m — 1 distinct values 
are decided in each of these executions, which implies a wait-free m-process (m — l)-set agreement 
algorithm, violating punidi]. □ 

Lemma [^implies that no algorithm can solve m-obstruction-free k-set agreement using registers 
if A; < m. In the rest of the paper, we derive lower and upper bounds on the space complexity of 
m-obstruction-free A:-set agreement for n processes, where m < k < n. (It k > n, the problem is 
trivial and no registers are required: each process can simply output its own input value.) 

3 Lower Bound for Repeated Set Agreement 

In this section, we prove that solving m-obstruction-free repeated A;-set agreement among n 
processes requires at least n + m — k registers. Since the proof is technical, we first provide a brief 
overview. For simplicity, assume for now that A: -|- 1 is a multiple of m. We assume that there is an 
algorithm that uses fewer than n-\-m — k registers, and construct an execution in which processes 
return A: -|- 1 different values in some instance of set agreement, contradicting the A:-agreement 


4 


property. The proof first constructs c = disjoint sets Qi,Q 2 , ■ ■ ■ ,Qc of m processes each, and 
an execution a. that passes through a sequence of configurations D\ , , • ■ ■, T>c with the following 

property. For 1 < i < c, every possible execution fragment by the processes in Qi starting from Di 
writes only to registers that are overwritten immediately after Di in a. Moreover, processes in Qi 
take no more steps after Di in a. We can then splice into a any execution fragment by processes 
in Qi at Di, knowing that the rest of a will not be affected, since all evidence of the inserted 
steps will be overwritten. For each group Qi, the fragment we splice into o. accesses a “fresh” 
instance of set agreement that was never accessed during a. (In each fragment that is spliced in, 
only the m processes in Qi take steps, so all Propose operations terminate and the processes will 
eventually reach and complete the fresh instance of set agreement.) We ensure that these groups of 
m processes output disjoint sets of m different values each for this one instance of set agreement, 
for a total of c • m = A: + 1 different outputs, a contradiction. 

Theorem 2. Any algorithm for m-obstruction-free repeated k-set agreement among n processes 
requires at least n -\- m — k registers. 

Proof. To derive a contradiction, assume there exists an algorithm for m-obstruction-free repeated 
fe-set agreement using r = n-\-m — k — 1 registers. Let c = • Since k > m, we have c > 2. 

We define a block write to a set A of registers by a set P of processes to be an execution fragment 
in which each process of P takes a single step, such that the set of registers written during the 
fragment is A. 

We first construct an execution 

Co ^ T>i ^ Cl ^ T>2 ^ ^2 ^ ^ Cc-l (1) 

and sets Ai,..., Ac-i of registers such that Cq is the initial configuration and for all j, 

1. aj is an execution fragment containing only steps by two disjoint sets Pj and Qj of processes 
that goes from configuration Cj-i to configuration Dj, 

2. fij is a block write to Aj by Pj that goes from configuration Dj to configuration Cj, 

3. IQil = /c + 1 — (c — l)m, 

4. if j > 1, \Qj\ = m, 

5. \Pj\ = \Aj\, 

6. Qj n Qj> = 0 for f / j, 

7. Qj n Pji = 0 for j' > j, and 

8. there is no execution fragment starting from Dj in which only processes in Qj take steps and 
some process writes outside Aj. 

Base case (j = 0): Let Cq be the initial configuration. 

Inductive step: Let 1 < j < c — 1. Assume we have constructed the execution from Co to 
Cj-i satisfying all the properties. The algorithm in Figureconstructs the execution fragment aj 
and the sets Pj, Qj and Aj. Then, let /3j be the execution fragment starting from Dj where each 
process in Pj takes a single step and let Cj be the resulting configuration. 
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1 let Oj be the empty execution fragment 

2 Dj ^ Cj-i 

3 Pj ^ 0 

4 Aj i — 0 

5 if j > 1 then size •(— m else size ■(— A: + 1 — (c — l)m 

6 let Qj be a set of size processes disjoint from Qi U Q 2 U • • • U Qj-i 

7 loop until no execution fragment starting from Dj by Qj writes outside Aj 

8 let 6 be an execution fragment starting from Dj by Qj until some process q G Qj is poised for 

the first time to write to a register that is not in Aj and let R be that register 

9 CXj i — CXj ‘ S 

10 let Dj be the configuration reached from Cj-i by performing aj 

11 let q' be some process outside QiU Q 2 ^ ■ ■ ■ U Qj U Pj 

12 Aj i — Aj U {P} 

13 Pj i — Pj U 

14 Qj ■(— {Qj — {g}) U {q'} 

15 end loop 

16 output aj, Dj , Pj , Qj , Aj 

Figure 2: Algorithm used in the proof of Theorem]^ to construct aj, Dj,Pj, Qj and Aj. 

Observe that the construction algorithm terminates: each loop iteration adds a new register to 
Aj, so it terminates after at most r iterations. We next check that the required processes on line 
0 and 0 exist. When j = 1, we have size = k + 1 — {c — l)m = k + 1 — ■ m + m < m < n, 

so one can choose the required processes on line 0. For j > 1, one can choose the process on line 0 
because 

\Qi U • • • U Qj-i\ = k + 1 — {c — l)m + (j — 2)m 

(by induction hypothesis and 
< k + 1 — {c — l)m + (c — 3)m 
(since j < c — 1) 

= k + 1 — 2m < n — 2m 
(since k < n). 

Similarly, one can choose the required process q' at line 0 because 

IQi U • • • U Qj U Pj\ 

< k + 1 — 2m + I Qj I + I Pj I 

(since |Qi U • • • U Qj-i| < k + 1 — 2m) 

< k + 1 — m + r — 1 

(since |Qj| = m and |Pj| = |Aj| < r — 1) 

= n — 1 

(since r = n + m — k — 1). 

We verify the construction satisfies all of the properties. Line 0 of the algorithm updates Dj 
each time aj is updated, to ensure property 1. Property]^ is true by definition of f3j and Cj. Qj is 
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initialized to a set whose size satisfies property or on line 0 and the size of this set is preserved 
whenever Qj is altered on line 0. Pj and Aj are initialized to be empty, and both are updated 
by adding one element to each on line 0 and 0, so they remain the same size after every iteration 
of the loop. (Note that Pj and Qj are disjoint at the beginning of each iteration of the loop, so 
line 0 does add a new process to Pj.) Every process placed in Qj at line 0 or 0 was chosen to 
be outside Qi U ... U Qj-i, guaranteeing property]^ Similarly, processes added to Pj are always 
outside Qi U ... U Qj-i, and whenever a process is added to Pj, it is removed from Qj, so property 
[^is satisfied. Finally, property is guaranteed by the exit condition of the loop. This completes 
the inductive construction. 

Now, let s be the maximum number of invocations of Propose by any process in the execution 
that takes the system to configuration Cc-i- Let Qc be a set of m processes disjoint from Qi U • • • U 
Qc-i- (These m processes exist since \Qi U • • • U Qc-i\ = k + l — m<n — m.) Let Dc = Cc-i- 

For each j G {1 ,..., c}, we now construct an execution fragment 7 ^ by the processes in Qj 
starting from Dj. Since \Qj\ < m, each Propose in 7 ^ must terminate. First, the processes in Qj 
run one by one until each completes its first s invocations of Propose. Then, the processes of Qj 
run their (s + l)th invocation of PROPOSE, each using its own id as its input value so that they 
decide \Qj\ different output values. By Lemmasuch an execution fragment exists. Note that for 
j < c, 7 j cannot write outside of Aj, by property]^ So, all traces of 7 j’s activity are obliterated by 
the block write 13j. Thus, we can insert 71 ,..., 7 c into execution (j^ at Z?i,..., Dc, respectively, and 
the resulting execution is still legal. In the resulting execution, the number of distinct outputs for 

C 

the (s + l)th instance of set agreement is \Qj\ = k + 1, violating fc-agreement. This completes 
the proof. □ 

4 Algorithm for Repeated Set Agreement 

4.1 One-shot k-set agreement 

We first give an algorithm that uses a snapshot object of r = n + 2m — k components to solve (one- 
shot) m-obstruction-free fe-set agreement, and then describe how to extend it to solve repeated 
set agreement. The one-shot algorithm is shown in Figure Roughly speaking, the first k — m 
processes to decide can output arbitrary values, but we ensure that the last i = n — k + m processes 
all agree on at most m different values (for a total of at most k different values). 

Each process stores its preferred value in its local variable pref. Initially, it prefers its own input 
value. Each process executes a loop in which it stores its pref and identifier into a component of 
the snapshot object, takes a scan of the snapshot object and updates its pre/variable based on the 
scan. The location i that the process updates advances in each iteration of the loop, as long as the 
process’s pref value remains the same. When the process updates its pref it does not advance to 
the next location: instead it updates the same location during the next iteration of the loop. 

The process repeats this loop until a scan returns a vector containing at most m different value- 
id pairs, at which point it returns one of those values. In each iteration, a process updates its pref 
value when it does not see any copies of its current value-id pair anywhere in the vector returned 
by the scan, except for the component it just updated, and it does see two copies of some other 
pair. In this case, it adopts the value of the pair that appears twice as its pref. 
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1 Shared variable: 

2 A: snapshot object with r = n + 2m — k components, each initially _L 

3 Propose(?;) 

4 pref •(— V 

5 i 0 

6 loop 

7 update ith component of A with {pref, id) 

8 s •(— scan of A 

9 if |{s[j] : 0 < j < r}\ < m and Vj, s[j] / _L then 

10 let ji ■<— min{ji : 3j2 > ji such that s[ji] = 'S[i 2 ]}j output value in s[ji] and halt 

11 if Vj 7 ^ i, s[j] ^ {±, {pref id)} and 3ji / j 2 such that s[ji] = s[j 2 ] then 

12 ji ^ min{ji : 3j2 > ji such that s[ji] = s[j 2 ]} 

13 pref value in s[ji] 

14 else i •(— (i + 1) mod r 

15 end loop 

16 end Propose 


Figure 3: Algorithm for m-obstruction-free k-set agreement. Code for a process with identifier id. 


The algorithm in Figure]^ is an improvement on the algorithm of [3], which was designed for 
the special case where m = 1 and uses 2{n — k) registers, compared to the n — k + 2 registers used 
by ours. 

We now prove that the algorithm in Figure [^indeed solves m-obstruction-free k-set agreement. 
It is easy to see that validity holds: the only values that can appear in the snapshot object or in a 
process’s local pre/variable are input values. Thus, only input values can be produced as outputs. 
Before proving /c-agreement and termination, we first establish the following invariant. 

Lemma 3. For each process identifier id, all the pairs in A with identifier id have the same value. 

Proof. To derive a contradiction, assume there is an execution that reaches a configuration C in 
which A[ii] = {vi,id) and A[i 2 ] = {v 2 ,id) where vi ^ V 2 . Let pid be the process with identifier id. 
Let ui and U 2 be the last steps before C in which pid updates A[ii] and A[i 2 ], respectively. Without 
loss of generality, assume ui is before U 2 . Then, between ui and U 2 , pu changes its pre/variable at 
line 0. Consider the first time after ui that pid performs such a change, and let i* and s* be the 
values of pid’s local variables i and s at that time. Since s* was obtained from a scan between m 
and C and A[ii] = {vi,id) throughout that interval, s*[ii] is {vi,id). Thus, i* = fi; otherwise the 
test on line 0 would not be satisfied, and pid would not change prefat line 0. Therefore, in the next 
iteration of the loop, pid will update location A[ii]. This update is after ui and no later than U 2 
(and hence before C), which contradicts the definition of ui as the last update performed by pid 
on A[ii] before C. □ 

To prove /c-agreement, let ^ = n — k-\-m. If at most n — l processes decide, then fc-agreement is 
trivial since n — i = k — m<k. So, consider an execution in which more than n — i processes decide. 
Order the processes that decide according to the times when each performs its last scan, and let qo 
be the (n—£+l)th process in this ordering. Let X be the set of at most m different pairs that appear 


in the vector that qq’s final scan returns. Let V be the set of values that appear in pairs of X. Then, 
\y\ < < "i- We prove that qo and all processes that come later in the ordering output values 

in V. Thus, the total number of values output is at most {n — i) + \ V\ < n — {n — k + m) + m = k. 

Lemma 4. In any configuration after qq performs its final scan, only pairs with values in V can 
appear in two or more locations of A. 

Proof. Let Cq be the configuration just after go's final scan. We shall show by induction that 
in each configuration reachable from Co, only pairs with values in V can appear in two or more 
locations of A. For the base case, consider the configuration Cq. By the definition of V, A contains 
only pairs with values in V, so the claim holds. 

For the induction step, suppose the claim holds in all configurations from Cq to some configura¬ 
tion Cl reachable from Cq. Let st be a step that takes the system from Ci to another configuration 
C 2 . We show that the claim holds in configuration C 2 . We need only consider the case where st is 
an update by some process pid- Let {v, id) be the pair that st stores in a component of A. 

Case 1: st is the first update by pid after Cq. li v , then st cannot cause a violation of the 
claim. \i V then A contains exactly one copy of {v,id) in configuration C 2 , since {v,id) ^ X, 
so again st preserves the claim. 

Case 2: st is not the first update by pid after Cq. Let Sid be the vector obtained by Pi^’s last 
scan before st. We show that v € V, and hence st preserves the claim, by considering two subcases. 

Case 2a: Sid satisfies the condition on line 0. Then, pid updates its pre/variable at line 0, so 
the value v is the value of a pair that appears twice in Sid. By the induction hypothesis, u G B. 

Case 2b; Sid does not satisfy the condition on line 0. We first argue that at least one pair 
appears twice in Sid. Recall that there are at most i—1 undecided processes in Cq. Since A contains 
at most m distinct pairs (|2f| < m) in Cq and at most 1 — 1 processes update A after Cq, Lemma 
implies that, when the scan sid is performed, A contains at most m + l — 1 = n + 2m — k — 1 distinct 
pairs. Since there are r = n + 2m — k locations in A, at least one pair appears twice in Sid. 

Since qq has previously output a value, Sid contains no T elements. Thus, the reason that 
Sid does not satisfy the condition on line 0 must be that for some j different from pid’s position i, 
Sid[j] = {pref id). Just before taking the scan Sid, Pid stores {v, id) in location i. This update occurs 
after Cq, since st is not the first update by pid after Cq. In the configuration after this update of 
location i, both Sid\j] and Sid[i] contain {v,id). So, by the induction hypothesis, v gV. □ 

Lemma 1^ implies that all processes after the (n — I)th. in the ordering can only decide one of 
the (at most) m values in V and, thus, ^-agreement is ensured. 

To prove m-obstruction-freedom, consider an execution where the set P of processes that 
take infinitely many steps has size at most m. To derive a contradiction, assume some process in 
P never decides. In each loop iteration, a process either keeps its preferred value and increments i 
(its location to update) modulo r or sets its preferred value without modifying i. We partition P 
into two subsets: the set NS of “non-stabilizing” processes that modify i infinitely often and the 
set S of “stabilizing” processes that eventually get stuck updating the same location i forever. 

Lemma 5. There is at least one process in NS. 

Proof. To derive a contradiction, assume the claim is false (i.e., P = S). Let /i be a time after 
which only processes in P take steps and no process changes its local variable i. Then there is a 
set M of at most m locations whose contents are updated after /r. Let NM be the set of at least 
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n + m — k > 2 locations that are not updated after /r. Let n' be any time when each process in P 
has performed at least one update after fi. Thus, at fi', every location in M contains a pair stored 
by a process in P. 

Let p be a process in P that performs a scan that returns a vector Sp after fj!. By the hypothesis, 
p changes its preferred value in every iteration after p!, so Sp satisfies the condition on line 0. Process 
p then changes pref to a value u in a pair (v, k) that appears twice in Sp. Since each component in 
M is updated by different processes, no two can contain the same pair after p'. We consider two 
cases. 

Case 1: in Sp, {v,k) appears in one component of M and one of NM. As (u,fc) is read from 
a component in M after p', p^ G P. Consider the time (after p) at which stores {v, k) in a 
component in M. Since no register in NM ever changes its value after p, in p^s subsequent scan, 
(u, fc) is in some register of NM and pk will not change its preferred value, contradicting the fact 
that P = S. 

Case 2: in Sp, (v, k) appears in two components of NM. By the definitions of NM and p', (v, k) 
is found twice in NM at all times after p. As p changes its preferred value after its next update, 
it must have found another pair that appears twice and was not in A previously. Then this new 
pair cannot be in two locations in NM. The pair cannot be in two locations in M either because 
all the locations of M are updated by different processes. Thus, this new pair is in one location of 
M and one location of NM. But, as we have seen in Case 1, this leads to a contradiction. □ 

Thus, some process updates each component of A infinitely often, yielding the following corol¬ 
lary. 

Corollary 6. There is a time after which A contains only pairs stored hy processes in P. 

By Corollary ^ there is a time v after which (1) A contains only pairs stored by processes in 
P. By Lemma p (2) all pairs in A with the same id have the same value. By the assumption, 
(3) 1^*1 < m. (1), (2) and (3) imply that after u, each time a process p € P performs a scan it 
finds at most m different pairs in the snapshot and decides. This contradiction establishes the 

m-obstruction-freedom property. 

Theorem 7. For 1 < m < k < n, there is an m-obstruction-free algorithm that solves k-set 
agreement among n processes using min(n + 2m — k, n) registers. 

Proof. We established above that the algorithm in Figure solves the problem using a snapshot 
object of n + 2m — k components. If n + 2m — k < n, the snapshot object can be implemented 
from n + 2m — k registers [5|. Otherwise, the snapshot can be implemented from n single-writer 
registers [UlIS]- □ 


4.2 Repeated k-set agreement 

The one-shot A:-set agreement algorithm can be transformed into an algorithm for repeated set 
agreement with the same space complexity to prove the following theorem. Since it is quite similar 
to the one-shot algorithm, we describe it briefly. 

The pseudocode for our repeated fc-set agreement algorithm is given in Figure It essentially 
follows the pseudocode of the one-shot algorithm (Figure]^, with additional “shortcuts” which a 
process may use to adopt a value output previously by another process that has already reached 
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1 Shared variable: 

2 A: snapshot object with r = n + 2m — k components, each initially _L 

3 Persistent local variables: 

4 i •(— 0 

5 t i — 0 

6 history ■<— empty sequence 

7 Propose(?;) 

8 t i — t “t" 1 

9 if \history\ > t then 

10 output the t-th value in history and halt 

11 pref •(— V 

12 loop 

13 update ith component of A with {pref, id, t, history) 

14 s •(— scan of A 

15 if 3j such that s[j] = {w, id' , t' , his) with t' > t then 

16 history ^ his, output the t-th. value in his and halt 

17 if |{s[j] : 0 < j < r}| < m and Vj, s[j] is neither _L nor of the form {w, q, t' , his) with t' < t then 

18 let ji ^ min{ji : 3j2 > ji such that s[ji] = s[j 2 ]} 

19 let w be value in s[ji] 

20 history ^ history ■ w 

21 output w and halt 

22 if Vj / i, s[j] ^ {±, {pref id, t, history)} and 3ji / j 2 such that s[ji] and s[j 2 ] contain 

identical t-tuples then 

23 ji i4iin{ji : 3j2 > ji such that s[ji] and s[j2] contain identical t-tuples} 

24 pref value in s[ji] 

25 else i •(— (i + 1) mod r 

26 end loop 

27 end Propose 


Figure 4: Algorithm for m-obstruction-free repeated k-set agreement. 


a higher instance of repeated set agreement. Also, a value stored by a process in a lower instance 
is treated as _L. Thus, a process decides in instance t only if all tuples found in A are stored by 
processes in instance t and there are at most m distinct tuples, or if another process has reached 
an instance higher than t. 

Each process p maintains a local variable history that stores a sequence of output values that 
have been produced in the first instances of repeated A:-set agreement. In the current instance t, p 
essentially follows the one-shot algorithm (Figure]^, except that it appends the current instance 
number t and history to each value it stores in the shared memory. Thus, each element of the vector 
returned by a scan of A contains either T or a tuple of the form {id,v,t',his). If t' > t, then pid 
has already completed instance t and his contains the corresponding output value. If this is the 
case, p adopts all the values output by pid for instances from t to t' — 1. It t' < t, indicating that 
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Pid has not yet reached instance t, then the position of A is treated as if it were _L in the one-shot 
algorithm. 

To prove A:-agreement, we focus on processes that produce their output for instance t without 
adopting a value from the history that another process stored in A. We call these t-deciding 
processes. Since each other processes that completes its tth Propose adopts one of the value of a 
t-deciding process, it suffices to prove that t-deciding processes output at most k different values. 
As in the proof for the one-shot case, we show that the last i = n—k+m t-deciding processes output 
at most m values. There is one complication in the argument: after the [n — I + l)th t-deciding 
process performs its last scan during instance t, processes may store a t'-tuple with t' < t. We show 
that each process can do this only in a single location, which ensures the agreement property for 
instance t is not disrupted. 

To show m-obstruction-freedom, consider an execution where the set P of processes that 
take infinitely many steps has size at most m. To derive a contradiction, assume some process 
in P does not complete a Propose. Let t be the smallest number for which some process does 
not complete its tth Propose and let P' be the set of processes that do not complete their tth 
Propose. Since the processes in P' never witness the presence of a process in a higher instance 
of set-agreement, the argument for the one-shot case can be applied to this set P' to obtain the 
desired contradiction. 

A detailed proof of the algorithm can be found in Appendix [A| 

Theorem 8. For 1 < m < k < n, there is an m-obstruction-free algorithm that solve repeated k-set 
agreement among n processes using min(n -|- 2m — k, n) registers. 

5 Lower Bound for Anonymous One-Shot Agreement 

We now turn to anonymous algorithms, where processes are not equipped with identifiers and 
are programmed identically. We also assume that the domain of possible input values is IN. In 
this section, we show that any n-process anonymous algorithm for m-obstruction-free (one-shot) 
k-set agreement requires registers. Note that this bound on space complexity reflects 

all three parameters: increasing n or m makes the problem harder and increasing k makes the 
problem easier. It also generalizes the anonymous result of Fich, Herlihy and Shavit (which is 
the special case when m = /c = 1) by showing the dependence on two additional parameters m and 
k. The assumption of anonymity allows us to add clones to an execution. A clone of a process p 
is another process p' that has the same input as p. Whenever p takes a step, p' takes an identical 
step immediately afterwards. 

Let A be an anonymous algorithm that solves m-obstruction-free k-set agreement among n 
processes using finitely many registers. For each set V of m distinct input values, fix an execution 
a{V) such that at most m processes take steps during a and output all values in V. (Such an 
execution exists, by Lemma [^) Let R(P) be the sequence of distinct registers written during 
a{V) in the order they are first written in a{V). For any sequence R of distinct registers, define 
t)(R) = {P c IN : |P| = m and R is a prefix of R(P)}. 

Lemma 9. Let r > 0 and suppose n > (m -|- Then, for i = 0,... ,r 1, there is a 

sequence R* of length i such that t)(Rj) is an infinite set. 

Proof. We prove the claim by induction on i. 
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Base case {i = 0): Rq is the empty sequence and t^(Ro) = {V C M : |y| = m} is infinite. 

Induction step: Let z G {1, 2,..., r + 1}. Assume there is a sequence Ri-i = {Ri, R 2 , ■ • •, Ri-i) 
such that 0(Rj _i) is infinite. 

The induction step is technical, so we begin with an informal overview. Let c = We 

hrst show that there cannot be c disjoint sets Vi ,..., 14 in t)(Rj_i) such that each a(14) writes 
only to registers in Rj_i; otherwise, we could glue together the a( 14 )’s so that each a( 14 ) is 
invisible to all the others, and the number of output values in this glued-together execution would 
be |14 U 14 U • • • U 14| = me > k. Then, the rest of the argument is easy: infinitely many sets 
in t)(Rj_i) must have register sequences of length at least i. Since there are only finitely many 
registers, infinitely many of those sets have the same register R in position i of their sequence. 
These form the infinite set t)(Rj), where R, = Rj_i • R. 

To derive a contradiction, assume that (*) there exist c disjoint sets I 4 ,..., 14 in t)(Ri _i) such 
that for all i, a(14) writes only to registers in Ri-i. Let Pi,..., Pc be c disjoint sets of m processes 
each. The following claim describes how we can glue together the q;(14)’s. If /3 is an execution and 
P is a set of processes, f3\P denotes the subsequence of (3 consisting of steps taken by processes in 
P. 

Claim: For j = 0,1,..., z — 1, there exists an execution with the following properties. 

1. Exactly processes outside of Pi U ... U Pc take steps during f3j. 

2. For ^ = 1,..., c, there is a write by some process in Pi to each of Ri, R 2 , ■ ■ ■, Rj during j3j. 

3. No process writes to any register outside of {Ri, R 2 -, ■ ■ ■, Rj} during f3j. 

4. For £ = 1,..., c, (3j\Pi is the prefix of a(14) up to but not including the first write to Rj+i 
(or the entire execution a( 14 ) if J = ^ — !)• 

We prove the claim by inductively constructing the executions f3j. 

Base case (j = 0): We build /3o by concatenating the maximal prefixes of 

a(14), 0 ( 14 )) • • • 5 Q:(14) that do not contain any writes, performed by process sets Pi,..., Pc, re¬ 
spectively. No processes outside Pi U • • • U Pc take steps in /3o. Property is vacuously satisfied. 
Properties and follow immediately from the definition of /3o. 

Inductive step: Let j G {!,...,z — 1}. Assume that there is a Pj-i satisfying the four 
properties. We describe how to construct /3j. 

For each i, we insert j — 1 clones of processes in P^, and we pause one clone just before the 
last write by a process in P^ to each of Pi,..., Rj-i- Such a write exists, by property of the 
induction hypothesis. Moreover, there are enough processes to create these clones, since the number 
of processes that take steps in /?j_i plus the c(j — 1 ) additional clones needed to construct Pj total at 
most mc +— 1 ) = mc-|- < mc+ < 777 ,^+ _ |~^^1 (^rn+ 

and by the hypothesis of the lemma, there are this many processes in the system. 

Let I3j_i be the execution that results from adding all of the clones to /3j-i. We add some more 
steps to the end of /3'_^ as follows. For each = 1,..., c, we add a block write by the clones of 
processes in P^ followed by steps of processes in Pi continuing the steps of q;(I 4) until some process 
is poised to write to Rj+i for the first time (or until the end of a(I4) if j = z — 1). (This is legal, 
because the block write ensures that all registers have the same state as they would have after 
[3j-i\P£, which is a prefix of a{Vi), by induction hypothesis S) Thus, we ensure that 13j satisfies 
property 
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By property]^ of the inductive hypothesis, the first newly added step by a process in Pi writes to 
Rj. Combined with induction hypothesis]^ this proves property]^ For j < i — 1, propertyholds 
because we stop the processes in Pi just before they write to any register outside of {Ri,..., Rj}. 
For j = i — 1, property follows from our assumption (*) that a{Vi) writes only to registers in 

Rj_i. 

The processes outside Pi U • • • U Pc that take steps in (3j are the processes that take 

steps in /?j_i plus the c{j — 1) clones that we added when constructing /3'_i. So the total number 

of such processes is satisfying property This completes the proof of the claim. 

In /3j_i processes in Pi output all m values in Vi (for all Pj. Since Vi,..., 14 are disjoint sets, 
there are at least cm = ■ m > k + 1 different output values in /3j_i. This contradicts the 

fe-agreement property. Thus, assumption (*) is false, so there are fewer than c disjoint sets in 
t)(Ri_i) such that a(Vi) writes only to registers in Ri-i. Thus, there are infinitely many sets V in 
t)(Rj_i) such that a{V) writes outside of Ri-i. Since there are only finitely many registers, there 
must be infinitely many of these sets V such that the first register outside of Rj-i written during 
a{V) is the same for all V. Call that register R. Let R* be obtained by concatenating R to the end 
of Ri-i- Then, there are infinitely many sets V such that Rj is a prefix of R(I^). This completes 
the proof. □ 

Theorem 10. Any anonymous algorithm that solves m-obstruction-free k-set agreement among n 
processes using registers must use more than registers. 

Proof. Assume an algorithm solves the problem using r registers where r < Then, 
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So, by Lemma there exists a sequence of r + 1 registers used in some executions of A, which 


is impossible since there are only r registers. 


□ 


6 Anonymous Algorithm for Repeated Set Agreement 

Theorem 11. There is an algorithm that solves m-obstruction-free repeated k-set agreement among 
n processes (for m < k) using (m + l)(n — A:) + + 1 registers. 
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The anonymous algorithm presented in Figure [^solves m-obstruction-free repeated k-set agree¬ 
ment among n processes (for m < k) using (m + l){n — k) + m? + 1 registers. The algorithm uses 
the same basic idea as the one in Section]^ It uses a snapshot object with r = (m + l)(n — A:) + 
components, which can be built anonymously and non-blocking using r registers [7]. Again, the 
idea is to allow the first i = n + m — k processes to choose arbitrary outputs and then ensure that 
the last n — i = k — m processes output at most m different values, for a total of at most k different 
values. 

For one-shot A:-set agreement, processes alternate between storing their preferred value in a 
component of the snapshot object A and performing a scan of A. The conditions for outputting a 
value and adopting a new preference differ from the algorithm in Section to compensate for the 
lack of identifiers. Whenever a process observes m or fewer different values in a scan, it can output 
the one that occurs most frequently. Otherwise, if a process sees fewer than (. copies of its own 
preference and at least I copies of another value, it adopts this other value as its preference. 

The adaptation of this algorithm to repeated consensus is similar to the technique used for the 
non-anonymous case. There is one additional complication: there is no known space-efficient wait- 
free anonymous snapshot implementation from registers, so we use a non-blocking implementation. 
Therefore, some processes may starve while accessing the snapshot object, under the condition that 
at least one process manages to complete infinitely many instances of A:-set agreement. 

To ensure that starving processes also complete their Propose operations we use one additional 
register H where “fast” processes write their outputs. Every process periodically checks H in a 
parallel thread (lines 0-0) and if it finds out that \H\ > t, where t is the instance of agreement the 
process is working on, it outputs the t-th value found in H. As in the non-anonymous case, the 
sequence of values that have been output in the instances of repeated fc-set agreement the process 
has completed so far is stored in a local variable history. To ensure that history is updated exactly 
once per instance of A:-set agreement, we require that the threads of a process are scheduled so 
that the pairs of lines 0~0, 0-0, and 0-0 are executed without interruption from the process’s other 
thread. 

The proof of correctness of our algorithm is given in Appendix [B| 


7 Concluding Remarks 

A small gap remains between the upper and lower bounds for non-anonymous repeated set 
agreement. The one-shot algorithm of [1] uses fewer registers than ours for one special case: when 
m = 1 and fc = n — 1, it uses two registers compared to our three. This suggests the upper bound 
could perhaps be improved to n + m — k. The gaps are larger for the other scenarios shown in 
Figure It would be interesting to see if there is an anonymous algorithm that uses linear space, 
rather than quadratic space. Another natural continuation of this work would be to extend the 
one-shot anonymous lower bound to the non-anonymous setting. However, closing the gap for the 
one-shot setting eludes us still. 
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A Proof of correctness of repeated set agreement 

In this section, we prove Theorem The pseudocode for our repeated k-set agreement algorithm 
appears in Figure]^ It essentially follows the pseudocode of the one-shot algorithm (Figure]^, 
with additional “shortcuts” which a process may use to adopt a value output previously by another 
process that has already reached a higher instance of repeated set agreement. Also, a value stored 
by a process in a lower instance is treated as T. Thus, a process decides in instance t only if all 
tuples found in A are stored by processes in instance t and there are at most m distinct tuples, or if 
another process has reached an instance higher than t. The local variable history initially stores an 
empty sequence and the local variable t is initially 0. The local variable i stores the location that 
the process updates and is initially 0. The values of these three local variables persist from one 
invocation of PROPOSE to the next. In particular, this means that the first location of a Propose 
is the last location of the previous Propose. 

A process updates components of the shared snapshot object with tuples of the form 
{v, id A, history), where v is the process’s preferred value, id is the identifier of the process, t 
indicates which instance of set agreement the process is currently working on, and history is a 
sequence of output values for instances of set agreement. We refer to a tuple whose third element 
is t as a t-tuple. 

To see that the algorithm satisfies validity, first observe that when a process invokes Propose 
for the tth time, the length of its history variable is at least t — 1. The value in every t-tuple in A 
and, thus, put in the tth position of a process’s local variable history, is the input value of some 
process’s tth invocation of Propose. 

The following Lemma reformulates Lemma for t-tuples, showing that A cannot contain more 
than one distinct t-tuple for a given process. 

Lemma 12. Let id be a proeess identifier and t be a positive integer. In any reachable configuration, 
all t-tuples with identifier id in A are identical. 

Proof. To derive a contradiction, assume that in some reachable configuration C, A\ii] = 
{vi,id,t,hisi) and A[i 2 ] = {v 2 ,id,t, hisi) such that {vi,hisi) {v 2 ,hisi). Let pid be the pro¬ 
cess with identifier id. By the algorithm, pid changes its history variable only when it switches to 
a higher instance of repeated agreement. Thus, hisi = his 2 and we must have vi V 2 . Let C be 
reached in some execution at time fi. Let ui and U 2 be the last update steps before /i in which pid 
updates A[ii] and A[i 2 \, respectively. Without loss of generality, assume that ui occurred before 
U 2 . Then, at some time between ui and U 2 , Pid changes its pre/variable in instance t (at line 0). 
Consider the first time after ui when pid performs such a change, and let i* and s* be the values 
of pid^s local variables i and s at that time. Since (1) A[ii] = {vi,id,t,hisi) at all times between 
ui and /i and (2) s* is obtained between ui and pL, s*[ii] must be equal to {vi,id,t, hisi). By the 
algorithm, i* = ii', otherwise, the test in line 0 would not be satisfied, and pid would not change 
pref in line 0. Therefore, in the next iteration of the loop, pid will update location A[ii]. This 
update is after ui and no later than U 2 (and hence before fi), which contradicts the definition of ui 
as the last update performed by pid to A\ii\ before pL. □ 

To show ^-agreement, we use arguments similar to the proof for the one shot algorithm. Let 
£ = n — k + m. We call a process t-deciding if it outputs a value at line 0 (i.e., without adopting 
a value from another process’s history value) during its tth invocation of Propose. If, for a given 
instance t, at most n — £ processes are t-deciding, then fc-agreement for instance t is immediate 
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since n — £ = k — m<k. Otherwise, consider an execution in which more than n — i processes 
are t-deciding. Order these processes according to the time that they perform their last scan in 
instance t, and let qq be the {n — i + l)th process in this ordering. Let X be the set of at most m 
different tuples that appear in go’s final scan and V be the set of values in X. Then, |1/| < |X| < m. 
We shall show that go and all processes that come later in the ordering output values in V. Thus, 
the total number of output values in instance t is at most {n — t) + \V\ <n—{n — k + m) + m = k. 

Lemma 13. After go performs its final scan in instance t, only t-tuples with values in V can appear 
twice in A. 

Proof. This proof is analogous to the proof of Lemma for the one-shot algorithm. Let Co be the 
configuration just after go’s last scan. We shall show by induction that each configuration reachable 
from Co, only t-tuples with values in V can appear in two or more locations of A. For the base 
case, consider the configuration Co. By the definition of V, A contains only tuples with values in 
V, so the claim holds. 

For the induction step, suppose the claim holds in all conhgurations from Cq to some conhgura- 
tion Cl reachable from Co. Let st be a step that takes the system from Ci to another configuration 
C 2 . We must show that the claim holds in configuration C 2 . We need only consider steps st in 
which some process pid stores a tuple {v, id, t, his) in A. 

Case 1: st is the first time pid stores a t-tuple after Cq. If v £ V, then st cannot cause a 
violation of the claim. v , then A contains exactly one copy of {v, id, t, his) in configuration 
C 2 , so again st preserves the claim. 

Case 2: st is not the first time pid stores a t-tuple after Cq. Let Sid be the vector obtained by 
Pid's last scan (at line 0) before st. Since Sid is not in the last iteration of the loop during instance 
t, Sid must not satisfy the conditions on line 0 or 0. We show that v £ V, and hence st preserves 
the claim, by considering two subcases. 

Case 2a: Std satisfies the condition on line 0. Since the condition on line 0 is not satisfied 
and the condition on line 0 is satisfied, every tuple in Sid is a t-tuple. Then, pid updates its pref 
variable at line 0, so the value v is the value of a t-tuple that appears twice in Sid. By the induction 
hypothesis, v £ V. 

Case 2b: Sid does not satisfy the condition on line 0. 

We call an update after Cq bad if it stores either a t'-tuple with t' < t or a t-tuple that is not 
in X. We first argue that each process can do bad updates to at most one location. To derive a 
contradiction, suppose some process does bad updates to two different locations after Cq. Consider 
the first process p to do a bad update to a second location. Process p's last bad update to one 
location and its hrst bad update to the second location must be in the same instance of Propose, 
because p must execute line 0 between them. Let Sp be the vector returned by the scan that p 
performs at line 0 during the iteration of the loop when it executes line 0. Then, Sp must not satisfy 
the conditions on line 0 or 0. Recall that at least n — i + 1 processes have updated A for the last 
time during instance t prior to Cq. So at most £ — 1 processes can do bad updates. Since no process 
has done bad updates to two locations before the p’s scan obtained the vector Sp, and no location 
of Sp contains a tuple with instance number greater than t, at least r — £ + I = m + 1 locations 
of Sp contain t-tuples in X. Since |X| < m, at least two locations of Sp contain the same t-tuple. 
This contradicts the fact that Sp does not satisfy the condition on line 0. Thus, each process can 
do bad updates to at most one location. 

Hence, at all times after Cq, at least r — (£ — 1) = m + 1 locations have not had any bad updates 
performed on them. Since Sid did not satisfy the condition on line 0, Sid must contain at least 
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m + 1 i-tuples in X, and therefore contains at least two identical t-tuples. Moreover, some 
process qo satisfied the condition on line 0 prior to the scan that returned Sid, so no component 
of Sid contains _L. Thus, the only reason Sid does not satisfy the condition on line 0 must be that 
for some j different from pus position i, = {v,id,t, his). Just before taking the scan Sid, Pid 
updates location i with {v,id,t, his). This update occurs after Cq, since st is not the first update 
by Pid after Cq. In the configuration after this update to location i, both Sid[j] and Sid[i] contain 
{v,id,t,his). So, by the induction hypothesis, v £V. □ 

Lemma [I^ implies that all t-deciding processes after the (n —£)th output values in V and, thus, 
a total of at most n — i + m = k values are output by t-deciding processes. The fe-agreement 
property follows. 

To prove m-obstruction-freedom, consider an execution where the set P of processes that 
take infinitely many steps has size at most m. To derive a contradiction, assume that some process 
in P completes only a finite number of Propose operations. Let t be the smallest number such 
that a process in P does not complete its tth Propose. Let P' be the set of processes in P that 
do not complete the tth Propose. By the algorithm, no process in P' ever witnesses the presence 
of a process in a higher instance; otherwise, it would output a value decided in instance t at line 0. 

Eventually, processes stop storing tuples with instance numbers t' < t in A. Below we reuse the 
arguments of the proof of Lemma to show that at least one process in P' updates each component 
of A inhnitely often. 

Recall that each time a process in P' executes the loop in instance t, it either keeps its preferred 
value and increments i (the next location to update) modulo r or changes its preferred value without 
modifying i. Let NS denote the set of processes in P' that increment i infinitely often and the set 
S denotes the rest of the processes in P\ i.e., the processes that eventually get stuck updating to 
the same location forever. 


Lemma 14. NS ^ 0. 


Proof. The proof is by contradiction. Assume it is not the case {P' = S). 

Let M be the set of at most m locations that processes in S eventually settle on. Note that no 
process in P — P' can update a location outside of M infinitely often because then the processes 
in P' would eventually see a tuple with instance number greater than t and complete their tth 
Propose operation. Let // be a time after which only processes in P take steps and no process 
updates a location outside of M. Let NM be the set of at least n + m — k > 2 locations that are 
never changed after p. 

Since all positions in NM that contain tuples of earlier instances are ignored, we simply reuse 
the arguments of the proof of Lemma to derive a contradiction. □ 


By Lemma 14 (1) there is a time after which only tuples stored by processes in P' are found in 
scans performed by processes in P\ and all of them are t-tuples. By Lemma 12, (2) all t-tuples in 
A of the same process are identical and (3) |P'| < |P| < m. (1), (2) and (3) imply that there is a 
time after which, whenever a process p £ P' performs a scan, it finds at most m different t-tuples 
in the returned vector and, thus, decides, contradicting the definition of P'. This completes the 
proof of the m-obstruction-freedom property. 

Thus, we have shown that the algorithm solves repeated k-set agreement using a snapshot 
object with n + 2m — k registers, which can be implemented using min(n, n + 2m — k) registers, as 
described in the proof of Theorem This completes the proof of Theorem 
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B Proof of correctness of anonymous repeated set agreement 


To prove Theorem 11 consider our algorithm in Figure The algorithm actually uses a non- 
blocking snapshot object with r = (m-|-l)(n —components, which can be built anonymously 
using r registers [7], plus one additional register. Each component of the snapshot object is initially 

T. 


In this algorithm, a process stores tuples of the form {v,t, history) where v is the process’s 
preferred value, t indicates which instance of set agreement the process is currently working on, 
and history is a sequence of output values for instances of set agreement. We refer to a tuple whose 
second element is t as a t-tuple. 

As an invariant, it is easy to see that each of the following can only store input values of some 
process’s t invocation of Propose: 


• a process’s pre/variable during the process’s tth invocation of Propose, 

• the first component of a t-tuple appearing in A, and 


• the tth element of any sequence that is stored in a process’s history variable, in the shared 
variable H or inside a tuple in A. 

Validity follows. 

Next, we prove the ^-agreement property. A process is t-deciding if it outputs a value on line 
0. Any other process that produces an output for its tth Propose operation outputs the same 
result as some t-deciding process, so it suffices to show that the t-deciding processes output at 
most k different values. As in Section]^ we show that the last i = n — k + m t-deciding processes 
output at most m different values, so that the total number of outputs for instance t is at most 
n — i + m = k values. 

If at most n — i processes are t-deciding, then fc-agreement is trivial for the tth instance of set 
agreement, since n — i = k — m<k. So, consider an execution in which more than n — i processes 
are t-deciding. Order the t-deciding processes according to the time that they perform their last 
scan in their tth invocations of PROPOSE, and let qo be the {n — i + l)th process in this ordering. 
Let X be the set of tuples that appear in qq’s final scan. Let V be the values that appear in tuples 
in X. We prove that qq and all t-deciding processes that come later in the ordering output values 
in V. 

We call an update of A after Cq a bad update if it stores a t'-tuple with t' < t or a t-tuple whose 
value is not in V. 


Lemma 15. After qq performs its final scan in its tth Propose operation, each process performs 
bad updates to at most one component of A. 

Proof. To derive a contradiction, assume that some process performs bad updates to two compo¬ 
nents of A after go's final scan scauQ. Consider the first process p to do a bad update on a second 
location. Let Sp be the vector returned by the last scan that p performs before its bad update 
to the second location. This scan causes p to execute line 0 so that it can perform an update on 
the second location. Thus Sp does not contain any t'-tuple with t' > t. Since n — i + 1 processes 
have performed their final scan of their tth Propose operation at or before scang, at most £ — 1 
processes can perform updates that store t'-tuples with t' <t after scang. By definition of p, none 
of those £ — 1 processes have performed bad updates on two different locations between scang and 
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p’s scan that returned Sp. Since scariQ returned a vector that contained only t-tuples, Sp must 
contain at most — 1 components that are either t^tuples with t' < t ox t-tuples with values not 
in V. So there are at least r — £ + 1 = (m + 1){£ — 1) + 1 — {£ — 1) = m{£ — 1) + 1 locations of 
Sp that contain t-tuples with values in V. Since |y| < m, one of the values in V must appear in 
t-tuples stored in at least £ locations. Thus p must adopt a value in V after it obtains the scan Sp, 
contradicting the fact that p’s next update after this scan uses a value not in V. □ 

It follows that at any time after go’s final scan, there are at most £ — 1 t-tuples in A with values 
that are not in V. Any t-deciding process ordered after go performs a final scan that returns only 
t-tuples, so one of the values in V must appear in at least £ of them, and is therefore the most 
frequent value in the scan. Thus, the value output by any such process must be in V. Hence, the 
total number of values output is at most {n — £) + \ V\ < n — {n — k + m) + m = k, ensuring that 
/c-agreement is satisfied. 

Finally, we prove m-obstruct ion-freedom. For this part of the proof, it is convenient to 
consider lines 0 to 0 to be a single atomic action. Since there is only one shared-memory access 
in this block of code, there is no loss of generality in this assumption: every execution has an 
equivalent execution where this block is executed atomically, so if we prove m-obstruction-freedom 
for executions that satisfy this assumption then it also holds for all executions. 

Consider an execution where at most m processes continue to take steps forever. Let P be the 
set of processes that complete infinitely many accesses to the snapshot object. P is non-empty, 
since the snapshot implementation we use is non-blocking, and 1^1 < m. To derive a contradiction, 
assume that some process in P never completes one of its Propose operations. Let t be the 
smallest number such that some process in P does not complete its tth Propose. Let P' be the 
set of processes in P that do not complete their tth Propose operation. Let be a time after 

• every process outside P has stopped performing updates on A, 

• every process in P' has begun its tth Propose operation, 

• every process xxx P — P' has begun its (t -|- l)th Propose operation, and 

• no component of A contains a t^tuple for any t' <t. 

It is possible to choose p to satisfy the last condition because each process in P' completes infinitely 
many iterations of the loop and therefore updates every location of A after p. Thus, eventually all 
t'-tuples with t' < t are overwritten. Note that after p, no component of A ever contains a f'-tuple 
with t' < t. 

We say that a value u is a candidate in a configuration C if it is either the pref value of some 
process in P' or it appears in a f-tuple in A. We shall prove that there is a configuration after 

p with at most m candidates. After that point, only those m values can appear in f-tuples in 

the snapshot object. It follows that every process in P' completes its tth Propose when it next 
performs a scan, which contradicts the definition of P'. 

Lemma 16. If, in some configuration C after p, a value v is not the pref of any proeess in P' 
and t-tuples with value v appear in fewer than £ eomponents of the snapshot object, then after some 
time, V will not he a candidate anymore. 
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Proof. To derive a contradiction, assume that some process in P' changes its local pref variable 
to V in some step after C. Consider the first such step by any process after C. Let scan be the 
scan performed in that step. Between C and scan, no process executing its tth Propose stores a 
t-tuple with value v, so the result of scan contains t-tuples with value v in at most i — 1 components, 
contradicting the fact that p adopts the value v in the step when it performs scan. 

Thus, no process in P' ever has v as its preferred value after C. So, no t-tuple with value v is 
ever stored in A after C. Since each process in P' executes infinitely many steps of its tth Propose 
operation, and increments its index i in every iteration of the loop, it eventually overwrites every 
component of A. Thus, there is a time (after C), after which no component of A contains a t-tuple 
with value v. After this time, v is never a candidate. □ 

Lemma 17. Whenever a process in P' performs a scan after p,, there is some value v that appears 
in t-tuples in at least I components of A. 


Proof. To derive a contradiction, suppose there is no such value v. Consider the configuration C 
immediately after the scan. By Lemma 16, only the values stored in pre/variables of processes in 
P' remain candidates forever. There are at most m such values. Thus, there is a time after which 
every t-tuple in A contains only those values. Whenever a process in P' performs a scan after that 
time, it will terminate, contradicting our assumption that no process in P' ever completes its tth 
Propose. □ 


For any configuration C and value v, let mult{C,v) be the number of components of A that 
contain t-tuples with value u in C plus the number of poised processes that are poised to perform 
an update and have pref v in C. The following lemma generalizes Lemma [T6| 

Lemma 18. Consider a value v. If, in some configuration C after p,, mult{C,v) < £, then after 
some time, v will no longer be a candidate. 


Proof. We first show that if a single step st takes the system from a configuration Ci to another 
configuration C 2 and mult{Ci, v) < i then mult{C 2 , v) < 1. If st is a step by a process in P — P', 
it can only decrease mult. If st is an update by a process in P', st may increase by one the number 
of components of A containing a t-tuple with value v, but then st will also decrease the number of 
processes poised to store a t-tuple with value v by one, so the value of mult cannot be increased 
by st. Finally, suppose st is an atomic execution of lines 0-0. In Ci, fewer than £ components of 
A contain t-tuples with value v (since mult{v,Ci) < £). Moreover, by Lemma 17, there is a value 
v' such that t-tuples with value v' appear in at least £ components of the scan performed during 
st. Thus, the process performing st adopts some value different from v as its pref. So, st cannot 
increase mult for v. 

Thus, in every configuration reachable from C, mult{C, v) < £. As argued above, any process 
in P' that performs a scan after C adopts a value different from v. Thus, eventually, no process will 
have its pre/equal to v, and at that time, v will be in at most l — \ components of A, so Lemma 
TB] ensures that v will eventually cease to be a candidate. □ 


Now, consider a configuration C immediately after some process has performed an update (after 
/i). There are {m + 1){£ — 1) -|- 1 registers and at most m — 1 processes in P' poised to perform 
an update. Thus, Yh mult{v, C) < {m + 1)£ — 1. Therefore, at most m values have mult{C, v) > £. 


All other values will eventually cease to be candidates, by Lemma 18, so eventually there will be at 
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most m candidates. All processes in P' will then terminate when they next perform a scan, which 
contradicts our definition of P'. 

Thus, we have shown that every process in P completes infinitely many Propose operations. 
There remains one more thing to show. There may be some processes not in P that takes infinitely 
many steps. (These are processes that starve in the non-blocking implementation of the snapshot 
object.) We must show that each such process p also completes all of its Propose operations. 
Processes in P write longer and longer sequences to H infinitely often and processes not in P 
eventually stop writing to H. Thus, for all t, p will eventually see a sequence in H of length at 
least t, and will then complete its tth Propose operation. 

This completes the proof of Theorem US We remark that for the one-shot case, the register H 
is not required, so we can solve the one-shot version using one less register. 


24 


